Skip to main content

Procurement and Security Review Appendix

Use this appendix when adopting any external runtime, protocol, or agent framework.

Vendor/repo intake checklist

Source repository and owner verified
License compatibility approved
Security posture reviewed (advisories, release cadence, maintainer activity)
Dependency risk profile reviewed
Data handling and telemetry defaults reviewed

Mandatory contract controls

MCP-required tool integration profile enabled
A2A usage scoped to approved cross-runtime workflows
Agent contract deny-by-default policy enabled
Human approval checkpoints preserved for production changes

Legal and compliance checks

Attribution policy accepted and documented
Copyleft restrictions reviewed before embedding code
Third-party notices retained where required
Regional privacy/sovereignty overlays evaluated

Security review checks

Threat model for orchestrator/runtime integration
AuthN/AuthZ path for tools and runtime APIs
Secret handling and redaction controls
Incident response ownership and escalation SLAs

Release approval package

Runtime adapter mapping document
Control evidence checklist completion
License and attribution manifest outputs
Risk acceptance or waiver records (if any)

Vendor/repo intake checklist
Mandatory contract controls
Legal and compliance checks
Security review checks
Release approval package